RE: Telnet and PAM

I believe the pam_ldap functions for session and account basically
noops.  I included them for the sake of trying everything. =)

One more detail: when I attempt a telnet login, I get this in the system log:
Sep 14 11:19:30 amitri login: exiting pam_sm_acct_mgmt 0
Sep 14 11:19:31 amitri inetd[472]: pid 11655: exit status 1

When I ssh with the same LDAP account I get this:
Sep 14 11:22:06 amitri sshd[11688]: Accepted password for josie from
10.2.7.101 port 1022
Sep 14 11:22:06 amitri sshd[11688]: Could not reverse map address
10.2.7.101.
Sep 14 11:22:06 amitri sshd[11688]: exiting pam_sm_acct_mgmt 0

The telnet login seems to bother the inetd process....?

Thank you for all the information and assistance,
Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
Behalf Of Steve Langasek
Sent: Thursday, September 14, 2000 11:05 AM
To: pam-list@redhat.com
Subject: RE: Telnet and PAM


On Thu, 14 Sep 2000, Kelli Wolfe wrote:

> > Since you're using nss_ldap, if you use pam_unix it will find a password
> > entry for all of your users -- but it will fail to authenticate users that
> > are in LDAP, since AFAIK nss_ldap won't return the password field.

> I'm confused.  You're saying pam_unix will find passwords, but
> won't authenticate?

pam_unix calls getpwent(), which returns the equivalent of a line from your
password file.  If your system uses nss_ldap, then this password file entry
won't have the password in it.

> Should I be using pam_unix instead of pam_pwdb?  I think I did that
> yesterday and I couldn't login at the console at all.

At this stage, switching to pam_unix probably won't simplify the
configuration, so you probably shouldn't.  In general, I think that pam_unix
is a better choice, though.

> > How do you have the PAM modules stacked in your /etc/pam.d/login file?

> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_pwdb.so use_first_pass

This looks ok... try the ldap password first, if it fails, try pwdb.

> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_pwdb.so

> session    sufficient   /lib/security/pam_ldap.so
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so

Can anyone comment on how pam_ldap acts as an authorization/session module?
It seems to me that the above can be simplified to read:

account   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_limits.so

I don't /think/ that there's anything special that makes it necessary to use
pam_ldap here.  Switching to pam_unix will let you use nss_ldap in the
background to pick up the right information.

Still, I see nothing here that explains why login behaves differently from
telnet, or why login only lets some users in.

Steve Langasek
postmodern programmer

> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> Behalf Of Steve Langasek
> Sent: Thursday, September 14, 2000 10:00 AM
> To: pam-list@redhat.com
> Subject: RE: Telnet and PAM
>
>
> On Thu, 14 Sep 2000, Kelli Wolfe wrote:
>
> > I've got some more information/weirdness on my Telnet problem.
>
> > If I sit at the console, I can login with an LDAP only account
> > that has a clear text password.  I cannot login with an LDAP
> > account that has an encrypted password.  I also cannot login
> > with an account that is in both the LDAP and the passwd files.
> > I cannot telnet with any of the above accounts.  I can ssh with
> > all of the accounts.
>
> How do you have the PAM modules stacked in your /etc/pam.d/login file?
> Since you're using nss_ldap, if you use pam_unix it will find a password
> entry for all of your users -- but it will fail to authenticate users that
> are in LDAP, since AFAIK nss_ldap won't return the password field.
>
> > It seems like I'm having a couple of problems with 'login'.
> > I am running RedHat 6.2, so from what I understand, telnet is
> > actually running login.  Login doesn't seem to be recognizing
> > the {crypt} attribute on the password.  And something is
> > causing remote telnet logins to immediately log back out.
> > Before I started adding LDAP to the authentication, telnet
> > worked just fine.
>
> Login should have no knowledge of the {crypt} attribute: this should all be
> handled inside pam_ldap.  If pam_ldap handles this correctly for ssh, I
> don't understand why it wouldn't handle it correctly for login.
>
> Steve Langasek
> postmodern programmer
>
> > -----Original Message-----
> > From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> > Behalf Of Ben Collins
> > Sent: Wednesday, September 13, 2000 12:30 PM
> > To: pam-list@redhat.com
> > Subject: Re: Telnet and PAM
> >
> >
> > On Wed, Sep 13, 2000 at 09:04:10AM -0500, Kelli Wolfe wrote:
> > > Hello,
> > >
> > > I've seen in the archives where people are using Telnet
> > > and PAM together, how?  I have OpenSSH authenticating
> > > against OpenLDAP with nss_ldap and pam_ldap, but every
> > > time I try to telnet to the machine I get the error:
> > > Connection closed by foreign host.  It appears in the
> > > LDAP logs to authenticate properly, but then it just
> > > dies.
> >
> > Sounds like something is getting a segv. Could be login (do console
> > logins work?), or one of the *-ldap modules, or even PAM itself.
> >
> > --
> > Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux
> > bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com
> >
> > _______________________________________________
> > 
> > Pam-list@redhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list
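To make Steve's reading of the stack concrete (auth: "try the ldap password first, if it fails, try pwdb"; account/session: collapse `sufficient pam_ldap` + `required pam_pwdb` into a single `required pam_unix`), here is a small simulation of how Linux-PAM combines the classic control flags. It is an added example written for this archive page, not code from the thread or from Linux-PAM, pam_ldap or nss_ldap. Everything in it is a constructed stand-in: `toy_crypt` is not crypt(3), the module functions only mimic the behaviour the thread attributes to pam_nologin, pam_ldap and pam_pwdb (nss_ldap-backed pam_pwdb sees a passwd entry but no hash for LDAP users; pam_ldap's account hook is assumed to be a no-op, as Kelli suspects), and the users and secrets are made up.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Return codes, numbered as in Linux-PAM's <security/_pam_types.h>.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED = 0, 7, 10, 13

Ctx = Dict[str, object]
Module = Callable[[Ctx, Tuple[str, ...]], int]
Entry = Tuple[str, str, Tuple[str, ...]]          # (control, module, args)


def run_stack(stack: List[Entry], modules: Dict[str, Module], ctx: Ctx) -> int:
    """Evaluate one PAM management group with the classic control flags:
    'required' records the first failure but keeps running the stack,
    'requisite' fails at once, 'sufficient' ends the stack with success only
    when no required module has failed yet, 'optional' never decides."""
    first_failure = None
    for control, name, args in stack:
        rc = modules[name](ctx, args)
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc
        elif control == "requisite" and rc != PAM_SUCCESS:
            return first_failure if first_failure is not None else rc
        elif control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS
    return PAM_SUCCESS if first_failure is None else first_failure


def toy_crypt(password: str) -> str:
    # Constructed stand-in for crypt(3) output; not a real password scheme.
    return "{CRYPT}" + hashlib.sha256(password.encode()).hexdigest()


def check_secret(stored: str, password: str) -> bool:
    """Accept a {CRYPT}-tagged hash or a cleartext userPassword value."""
    if stored.startswith("{CRYPT}"):
        return toy_crypt(password) == stored
    return stored == password


# --- constructed module stand-ins (behaviour as described in the thread) ---
def pam_nologin(ctx, args):            # /etc/nologin present -> refuse everyone
    return PAM_AUTH_ERR if ctx.get("nologin") else PAM_SUCCESS


def pam_ldap_auth(ctx, args):          # bind/compare against the directory
    stored = ctx["ldap"].get(ctx["user"])
    if stored is None:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if check_secret(stored, ctx["password"]) else PAM_AUTH_ERR


def pam_pwdb_auth(ctx, args):
    # 'use_first_pass' reuses the password pam_ldap already collected.
    # nss_ldap hands pam_pwdb a passwd entry for LDAP users but no hash,
    # so only users present in the local shadow map can verify here.
    stored = ctx["shadow"].get(ctx["user"])
    if stored is None:
        return PAM_AUTH_ERR
    return PAM_SUCCESS if check_secret(stored, ctx["password"]) else PAM_AUTH_ERR


def pam_ldap_account(ctx, args):       # assumed no-op that always succeeds
    return PAM_SUCCESS


def pam_unix_account(ctx, args):       # expiry check on the local/NSS entry
    return PAM_ACCT_EXPIRED if ctx["user"] in ctx["expired"] else PAM_SUCCESS


AUTH_MODULES = {"pam_nologin.so": pam_nologin, "pam_ldap.so": pam_ldap_auth,
                "pam_pwdb.so": pam_pwdb_auth}
ACCOUNT_MODULES = {"pam_ldap.so": pam_ldap_account,
                   "pam_pwdb.so": pam_unix_account, "pam_unix.so": pam_unix_account}

# Kelli's auth stack (pam_securetty omitted: it only affects root).
AUTH_STACK: List[Entry] = [("required", "pam_nologin.so", ()),
                           ("sufficient", "pam_ldap.so", ()),
                           ("required", "pam_pwdb.so", ("use_first_pass",))]
ACCOUNT_ORIGINAL: List[Entry] = [("sufficient", "pam_ldap.so", ()),
                                 ("required", "pam_pwdb.so", ())]
ACCOUNT_SIMPLIFIED: List[Entry] = [("required", "pam_unix.so", ())]

# Constructed sample data: two LDAP-only users (one hashed, one cleartext)
# and one local user whose account has expired.
DIRECTORY = {"josie": toy_crypt("ldap-secret"), "clear": "plain-text"}
SHADOW = {"local": toy_crypt("local-secret")}
EXPIRED = {"local"}


def authenticate(user: str, password: str, nologin: bool = False) -> int:
    ctx = {"user": user, "password": password, "nologin": nologin,
           "ldap": DIRECTORY, "shadow": SHADOW}
    return run_stack(AUTH_STACK, AUTH_MODULES, ctx)


def account_check(stack: List[Entry], user: str) -> int:
    return run_stack(stack, ACCOUNT_MODULES, {"user": user, "expired": EXPIRED})


if __name__ == "__main__":
    print("ldap user, right password:", authenticate("josie", "ldap-secret"))
    print("ldap user under /etc/nologin:", authenticate("josie", "ldap-secret", True))
    print("expired local user, original stack:", account_check(ACCOUNT_ORIGINAL, "local"))
    print("expired local user, pam_unix only:", account_check(ACCOUNT_SIMPLIFIED, "local"))
```

Two things the simulation makes visible that the config alone does not. First, a `sufficient` success does not override an earlier `required` failure: with `/etc/nologin` present, pam_ldap still succeeds, but the stack runs on to pam_pwdb and returns pam_nologin's error. Second, if pam_ldap's account hook really is a no-op that returns success, `account sufficient pam_ldap` short-circuits the stack and `account required pam_pwdb` never runs, so an expired local account is admitted; Steve's single `account required pam_unix` line (with nss_ldap supplying the entry) keeps that check.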